For those that only follow the high profile security breaches that make the evening news, it’s likely obvious corporations in general are under constant attack. For every security breach that you hear about, hundreds go under the radar because the companies are not household names or the amount of data exposed is not enough to grab headlines.
Here are just a handful of breaches that have happened so far in 2015, most of which people are not talking about:
- Mandarin Oriental
- Natural Grocers
- Webnic Registrar
- White Lodging
Moral of the story…no organization is a low risk target any longer.
Therefore, I think it’s important to ask yourself, “What is the difference between an insider and a hacker?” I posed this question for a group of security professionals, and, after an intense debate, we agreed that there really is no difference except insiders are paid employees of the company and hackers extract their payment by selling a company's private information.
We should all understand the anatomy of a security breach. Once a client system is breached, the agenda is to get administrative and/or network privileges so you can move around the organization, hopefully using the identity of insiders.
The Verizon 2014 DBIR explains that 88 percent of privilege abuse / misuse "occur within the boundaries of trust necessary to perform normal duties." Equally concerning is fact that 58% of respondents in the BeyondTrust Privilege Gone Wild 2 report believe that internal security controls are insufficient to control privilege abuse. How is this still possible?
There is a generally accepted belief that we need to balance security and productivity. However, we often lean too far towards the productivity and this is at the cost of good security. In hindsight, would Sony, Target, Home Depot, etc., rather have implemented tighter security controls that could have prevented or limited the scope of their breaches at the cost of negligible loss in productivity due to increased security measures?
A number of vendors release surveys in the privilege and vulnerability markets that shed some light on a wide array of challenges when it comes to securing enterprises. In the recent BeyondTrust Privilege Gone Wild 2 report, there are some disturbing but not shocking findings:
- Excessive Privileges
47% of respondents report that users in their organizations possess privileges that are not necessary for their roles.
I wish I could say this is an easy problem to solve. You can ask any organization that has poured countless dollars into monolithic frameworks designed to help understand:
What is a user or segment of user entitled to do?
What is a user or segment of user entitled to access?
How to properly onboard a user for a segment of the organization
How to ensure as a user changes roles, their entitlements do not carry over
Poor Shared Password Management
50% of respondents indicated that shared passwords are managed on a case-by-case basis.
For many organizations the breach at Sony Pictures was like looking into a mirror. Many of the oversights, when it comes to managing sensitive/shared credentials are common place in numerous organizations.
It will take months if not years for organizations to implement what we know are security best practices around shared credentials. This is not an easy problem to solve because part solution is technical and part is driven by political process. The level of sophistication that hackers possess is not limited to the methods used to breach organizations. It also includes their knowledge of how organizations operate and the technical and political challenges those companies face.
A hacker’s goal is to exploit the soft underbelly of security weaknesses that most organizations have in common. You don’t know what you don't know, but you can educate yourself on how the market is changing. Therefore, take time to read the security reports and surveys companies release for public consumption. Many are jammed packed with details about your industry and current challenges. Others force you to assess your environment and question if the problems presented are ones you face. In BeyondTrust’s Privilege Gone Wild 2 report, 58% of the respondents believe their current controls against misuse are inadequate, immature or non-existent. Do you feel that the controls you have in place to protect against misuse are inadequate?